stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8181594: Efficient and constant-time modular arithmetic

Browse Source 
Field arithmetic library for crypto algorithms like Poly1305 and X25519

Reviewed-by: xuelei
This commit is contained in:
Adam Petcher 2018-05-08 09:21:51 -04:00
parent 8139cce3e5
commit f15ab37909
11 changed files with 2494 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
src/java.base/share/classes/sun/security/util/math/ImmutableIntegerModuloP.java Normal file
View File

@ -0,0 +1,34 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.util.math;
/**
* An interface for immutable integers modulo a prime value.
*/
public interface ImmutableIntegerModuloP extends IntegerModuloP {
}

115
src/java.base/share/classes/sun/security/util/math/IntegerFieldModuloP.java Normal file
View File

@ -0,0 +1,115 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.util.math;
import java.math.BigInteger;
/**
* An interface for the field of integers modulo a prime number. An
* implementation of this interface can be used to get properties of the
* field and to produce field elements of type ImmutableIntegerModuloP from
* other objects and representations of field elements.
*/
public interface IntegerFieldModuloP {
/**
* Get the size of the field as a BigInteger. This size is equal to the
* prime modulus used to construct the field.
*
* @return the size of the field.
*/
BigInteger getSize();
/**
* Get the additive identity element 0
*
* @return the additive identity element
*/
ImmutableIntegerModuloP get0();
/**
* Get the multiplicative identity element 1
*
* @return the multiplicative identity element
*/
ImmutableIntegerModuloP get1();
/**
* Get the field element equivalent to the supplied BigInteger value. The
* supplied value may be negative or larger than the modulus that defines
* the field.
*
* @param v a BigInteger value
* @return the field element corresponding to v
*/
ImmutableIntegerModuloP getElement(BigInteger v);
/**
* Get a "small" value according to this implementation. This value may
* be used in optimized forms of some operations to avoid unnecessary
* calculations. For example, multiplication is much faster when it is
* known that one of the numbers fits within a single limb.
*
* The definition of "small", and the range of accepted values, is
* implementation-specific.
*
* @param v the small integer value
* @throws IllegalArgumentException when the value is not small
*/
SmallValue getSmallValue(int v);
/**
* Get a field element from a little-endian unsigned integer stored in an
* array. The entire array will be used, and the supplied value may be
* larger than the modulus that defines the field. The array will not be
* modified.
*
* @param v an array containing a little-endian unsigned integer
* @return the field element corresponding to v
*/
default ImmutableIntegerModuloP getElement(byte[] v) {
return getElement(v, 0, v.length, (byte) 0);
}
/**
* Get a field element from a little-endian unsigned integer stored at the
* specified position in an array. The supplied value may be
* larger than the modulus that defines the field. This method also takes
* a byte which is interpreted as an additional high-order byte of the
* number. The array will not be modified.
*
* @param v an array containing a little-endian unsigned integer
* @param offset the starting position of the integer
* @param length the number of bytes to read
* @param highByte the high-order byte of the number
* @return the field element corresponding to the bytes at the specified
* position
*/
ImmutableIntegerModuloP getElement(byte[] v, int offset, int length,
byte highByte);
}

205
src/java.base/share/classes/sun/security/util/math/IntegerModuloP.java Normal file
View File

@ -0,0 +1,205 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.util.math;
import java.math.BigInteger;
/**
* The base interface for integers modulo a prime value. Objects of this
* type may be either mutable or immutable, and subinterfaces can be used
* to specify that an object is mutable or immutable. This type should never
* be used to declare local/member variables, but it may be used for
* formal parameters of a method. None of the methods in this interface
* modify the value of arguments or this.
*
* The behavior of this interface depends on the particular implementation.
* For example, some implementations only support a limited number of add
* operations before each multiply operation. See the documentation of the
* implementation for details.
*
* @see ImmutableIntegerModuloP
* @see MutableIntegerModuloP
*/
public interface IntegerModuloP {
/**
* Get the field associated with this element.
*
* @return the field
*/
IntegerFieldModuloP getField();
/**
* Get the canonical value of this element as a BigInteger. This value
* will always be in the range [0, p), where p is the prime that defines
* the field. This method performs reduction and other computation to
* produce the result.
*
* @return the value as a BigInteger
*/
BigInteger asBigInteger();
/**
* Return this value as a fixed (immutable) element. This method will
* copy the underlying representation if the object is mutable.
*
* @return a fixed element with the same value
*/
ImmutableIntegerModuloP fixed();
/**
* Return this value as a mutable element. This method will always copy
* the underlying representation.
*
* @return a mutable element with the same value
*/
MutableIntegerModuloP mutable();
/**
* Add this field element with the supplied element and return the result.
*
* @param b the sumand
* @return this + b
*/
ImmutableIntegerModuloP add(IntegerModuloP b);
/**
* Compute the additive inverse of the field element
* @return the addditiveInverse (0 - this)
*/
ImmutableIntegerModuloP additiveInverse();
/**
* Multiply this field element with the supplied element and return the
* result.
*
* @param b the multiplicand
* @return this * b
*/
ImmutableIntegerModuloP multiply(IntegerModuloP b);
/**
* Perform an addition modulo a power of two and return the little-endian
* encoding of the result. The value is (this' + b') % 2^(8 * len),
* where this' and b' are the canonical integer values equivalent to
* this and b.
*
* @param b the sumand
* @param len the length of the desired array
* @return a byte array of length len containing the result
*/
default byte[] addModPowerTwo(IntegerModuloP b, int len) {
byte[] result = new byte[len];
addModPowerTwo(b, result);
return result;
}
/**
* Perform an addition modulo a power of two and store the little-endian
* encoding of the result in the supplied array. The value is
* (this' + b') % 2^(8 * result.length), where this' and b' are the
* canonical integer values equivalent to this and b.
*
* @param b the sumand
* @param result an array which stores the result upon return
*/
void addModPowerTwo(IntegerModuloP b, byte[] result);
/**
* Returns the little-endian encoding of this' % 2^(8 * len), where this'
* is the canonical integer value equivalent to this.
*
* @param len the length of the desired array
* @return a byte array of length len containing the result
*/
default byte[] asByteArray(int len) {
byte[] result = new byte[len];
asByteArray(result);
return result;
}
/**
* Places the little-endian encoding of this' % 2^(8 * result.length)
* into the supplied array, where this' is the canonical integer value
* equivalent to this.
*
* @param result an array which stores the result upon return
*/
void asByteArray(byte[] result);
/**
* Compute the multiplicative inverse of this field element.
*
* @return the multiplicative inverse (1 / this)
*/
default ImmutableIntegerModuloP multiplicativeInverse() {
return pow(getField().getSize().subtract(BigInteger.valueOf(2)));
}
/**
* Subtract the supplied element from this one and return the result.
* @param b the subtrahend
*
* @return the difference (this - b)
*/
default ImmutableIntegerModuloP subtract(IntegerModuloP b) {
return add(b.additiveInverse());
}
/**
* Calculate the square of this element and return the result. This method
* should be used instead of a.multiply(a) because implementations may
* include optimizations that only apply to squaring.
*
* @return the product (this * this)
*/
default ImmutableIntegerModuloP square() {
return multiply(this);
}
/**
* Calculate the power this^b and return the result.
*
* @param b the exponent
* @return the value of this^b
*/
default ImmutableIntegerModuloP pow(BigInteger b) {
//Default implementation is square and multiply
MutableIntegerModuloP y = getField().get1().mutable();
MutableIntegerModuloP x = mutable();
int bitLength = b.bitLength();
for (int bit = 0; bit < bitLength; bit++) {
if (b.testBit(bit)) {
// odd
y.setProduct(x);
}
x.setSquare();
}
return y.fixed();
}
}

135
src/java.base/share/classes/sun/security/util/math/MutableIntegerModuloP.java Normal file
View File

@ -0,0 +1,135 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.util.math;
import java.nio.ByteBuffer;
/**
* An interface for mutable integers modulo a prime value. This interface
* should be used to improve performance and avoid the allocation of a large
* number of temporary objects.
*
* Methods in this interface that modify the value also return the modified
* element. This structure enables fluent expressions like:
* a.setSum(b).setProduct(c).setDifference(d).setSquare()
*
*/
public interface MutableIntegerModuloP extends IntegerModuloP {
/**
* Swap the value of this with the value of b when swap has the value 1.
* No change is made to either element when swap has the value 0. The
* result is undefined when swap has a value other than 0 or 1. The swap
* parameter is an int (rather than boolean) to allow the implementation
* to perform the swap using branch-free integer arithmetic.
*
* @param b the element to conditionally swap with
* @param swap an int that determines whether to swap
*/
void conditionalSwapWith(MutableIntegerModuloP b, int swap);
/**
* Set the value of this element equal to the value of the supplied
* element. The argument is not modified.
*
* @param v the element whose value should be copied to this
* @return this
*/
MutableIntegerModuloP setValue(IntegerModuloP v);
/**
* Set the value equal to the little-endian unsigned integer stored at the
* specified position in an array. The range of accepted values is
* implementation-specific. This method also takes a byte which is
* interpreted as an additional high-order byte of the number.
*
* @param v an array containing a little-endian unsigned integer
* @param offset the starting position of the integer
* @param length the number of bytes to read
* @param highByte the high-order byte of the number
* @return this
*/
MutableIntegerModuloP setValue(byte[] v, int offset, int length,
byte highByte);
/**
* Set the value equal to the little-endian unsigned integer stored in a
* buffer. The range of accepted values is implementation-specific.
* This method also takes a byte which is interpreted as an additional
* high-order byte of the number.
*
* @param buf a buffer containing a little-endian unsigned integer
* @param length the number of bytes to read
* @param highByte the high-order byte of the number
* @return this
*/
MutableIntegerModuloP setValue(ByteBuffer buf, int length, byte highByte);
/**
* Set the value of this element equal to this * this.
*
* @return this
*/
MutableIntegerModuloP setSquare();
/**
* Set the value of this element equal to this + b. The argument is
* not modified.
*
* @param b the sumand
* @return this
*/
MutableIntegerModuloP setSum(IntegerModuloP b);
/**
* Set the value of this element equal to this - b. The argument is
* not modified.
*
* @param b the subtrahend
* @return this
*/
MutableIntegerModuloP setDifference(IntegerModuloP b);
/**
* Set the value of this element equal to this * b. The argument is
* not modified.
*
* @param b the multiplicand
* @return this
*/
MutableIntegerModuloP setProduct(IntegerModuloP b);
/**
* Set the value of this element equal to this * v. The argument is
* not modified.
*
* @param v the small multiplicand
* @return this
*/
MutableIntegerModuloP setProduct(SmallValue v);
}

38
src/java.base/share/classes/sun/security/util/math/SmallValue.java Normal file
View File

@ -0,0 +1,38 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.util.math;
/**
* A "small" value that can be used with the field arithmetic library. This
* interface enables optimizations based on the fact that certain values are
* known to be small, where the definition of small is specific to the the
* arithmetic implementation.
*/
public interface SmallValue {
}

576
src/java.base/share/classes/sun/security/util/math/intpoly/IntegerPolynomial.java Normal file
View File

@ -0,0 +1,576 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.util.math.intpoly;
import sun.security.util.math.*;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.Arrays;
/**
* A large number polynomial representation using sparse limbs of signed
* long (64-bit) values. Limb values will always fit within a long, so inputs
* to multiplication must be less than 32 bits. All IntegerPolynomial
* implementations allow at most one addition before multiplication. Additions
* after that will result in an ArithmeticException.
*
* The following element operations are branch-free for all subclasses:
*
* fixed
* mutable
* add
* additiveInverse
* multiply
* square
* subtract
* conditionalSwapWith
* setValue (may branch on high-order byte parameter only)
* setSum
* setDifference
* setProduct
* setSquare
*
* All other operations may branch in some subclasses.
*
*/
public abstract class IntegerPolynomial implements IntegerFieldModuloP {
protected static final BigInteger TWO = BigInteger.valueOf(2);
protected final int numLimbs;
private final BigInteger modulus;
protected final int bitsPerLimb;
// must work when a==r
protected abstract void multByInt(long[] a, long b, long[] r);
// must work when a==r
protected abstract void mult(long[] a, long[] b, long[] r);
// must work when a==r
protected abstract void square(long[] a, long[] r);
IntegerPolynomial(int bitsPerLimb,
int numLimbs,
BigInteger modulus) {
this.numLimbs = numLimbs;
this.modulus = modulus;
this.bitsPerLimb = bitsPerLimb;
}
protected int getNumLimbs() {
return numLimbs;
}
@Override
public BigInteger getSize() {
return modulus;
}
@Override
public ImmutableElement get0() {
return new ImmutableElement(false);
}
@Override
public ImmutableElement get1() {
return new ImmutableElement(true);
}
@Override
public ImmutableElement getElement(BigInteger v) {
return new ImmutableElement(v);
}
@Override
public SmallValue getSmallValue(int value) {
int maxMag = 1 << (bitsPerLimb - 1);
if (Math.abs(value) >= maxMag) {
throw new IllegalArgumentException(
"max magnitude is " + maxMag);
}
return new Limb(value);
}
/**
* This version of encode takes a ByteBuffer that is properly ordered, and
* may extract larger values (e.g. long) from the ByteBuffer for better
* performance. The implementation below only extracts bytes from the
* buffer, but this method may be overridden in field-specific
* implementations.
*/
protected void encode(ByteBuffer buf, int length, byte highByte,
long[] result) {
int numHighBits = 32 - Integer.numberOfLeadingZeros(highByte);
int numBits = 8 * length + numHighBits;
int maxBits = bitsPerLimb * result.length;
if (numBits > maxBits) {
throw new ArithmeticException("Value is too large.");
}
int limbIndex = 0;
long curLimbValue = 0;
int bitPos = 0;
for (int i = 0; i < length; i++) {
long curV = buf.get() & 0xFF;
if (bitPos + 8 >= bitsPerLimb) {
int bitsThisLimb = bitsPerLimb - bitPos;
curLimbValue += (curV & (0xFF >> (8 - bitsThisLimb))) << bitPos;
result[limbIndex++] = curLimbValue;
curLimbValue = curV >> bitsThisLimb;
bitPos = 8 - bitsThisLimb;
}
else {
curLimbValue += curV << bitPos;
bitPos += 8;
}
}
// one more for the high byte
if (highByte != 0) {
long curV = highByte & 0xFF;
if (bitPos + 8 >= bitsPerLimb) {
int bitsThisLimb = bitsPerLimb - bitPos;
curLimbValue += (curV & (0xFF >> (8 - bitsThisLimb))) << bitPos;
result[limbIndex++] = curLimbValue;
curLimbValue = curV >> bitsThisLimb;
}
else {
curLimbValue += curV << bitPos;
}
}
if (limbIndex < numLimbs) {
result[limbIndex++] = curLimbValue;
}
Arrays.fill(result, limbIndex, numLimbs, 0);
postEncodeCarry(result);
}
protected void encode(byte[] v, int offset, int length, byte highByte,
long[] result) {
ByteBuffer buf = ByteBuffer.wrap(v, offset, length);
buf.order(ByteOrder.LITTLE_ENDIAN);
encode(buf, length, highByte, result);
}
protected void postEncodeCarry(long[] v) {
carry(v);
}
public ImmutableElement getElement(byte[] v, int offset, int length,
byte highByte) {
long[] result = new long[numLimbs];
encode(v, offset, length, highByte, result);
return new ImmutableElement(result, true);
}
protected BigInteger evaluate(long[] limbs) {
BigInteger result = BigInteger.ZERO;
for (int i = limbs.length - 1; i >= 0; i--) {
result = result.shiftLeft(bitsPerLimb)
.add(BigInteger.valueOf(limbs[i]));
}
return result.mod(modulus);
}
protected long carryValue(long x) {
// compressing carry operation
// if large positive number, carry one more to make it negative
// if large negative number (closer to zero), carry one fewer
return (x + (1 << (bitsPerLimb - 1))) >> bitsPerLimb;
}
protected void carry(long[] limbs, int start, int end) {
for (int i = start; i < end; i++) {
long carry = carryOut(limbs, i);
limbs[i + 1] += carry;
}
}
protected void carry(long[] limbs) {
carry(limbs, 0, limbs.length - 1);
}
// carry out of the specified position and return the carry value
protected long carryOut(long[] limbs, int index) {
long carry = carryValue(limbs[index]);
limbs[index] -= (carry << bitsPerLimb);
return carry;
}
private void setLimbsValue(BigInteger v, long[] limbs) {
// set all limbs positive, and then carry
setLimbsValuePositive(v, limbs);
carry(limbs);
}
protected void setLimbsValuePositive(BigInteger v, long[] limbs) {
BigInteger mod = BigInteger.valueOf(1 << bitsPerLimb);
for (int i = 0; i < limbs.length; i++) {
limbs[i] = v.mod(mod).longValue();
v = v.shiftRight(bitsPerLimb);
}
}
// v must be final reduced. I.e. all limbs in [0, bitsPerLimb)
// and value in [0, modulus)
protected void decode(long[] v, byte[] dst, int offset, int length) {
int nextLimbIndex = 0;
long curLimbValue = v[nextLimbIndex++];
int bitPos = 0;
for (int i = 0; i < length; i++) {
int dstIndex = i + offset;
if (bitPos + 8 >= bitsPerLimb) {
dst[dstIndex] = (byte) curLimbValue;
curLimbValue = v[nextLimbIndex++];
int bitsAdded = bitsPerLimb - bitPos;
int bitsLeft = 8 - bitsAdded;
dst[dstIndex] += (curLimbValue & (0xFF >> bitsAdded))
<< bitsAdded;
curLimbValue >>= bitsLeft;
bitPos = bitsLeft;
} else {
dst[dstIndex] = (byte) curLimbValue;
curLimbValue >>= 8;
bitPos += 8;
}
}
}
protected void addLimbs(long[] a, long[] b, long[] dst) {
for (int i = 0; i < dst.length; i++) {
dst[i] = a[i] + b[i];
}
}
protected static void conditionalSwap(int swap, long[] a, long[] b) {
int maskValue = 0 - swap;
for (int i = 0; i < a.length; i++) {
long dummyLimbs = maskValue & (a[i] ^ b[i]);
a[i] = dummyLimbs ^ a[i];
b[i] = dummyLimbs ^ b[i];
}
}
private void bigIntToByteArray(BigInteger bi, byte[] result) {
byte[] biBytes = bi.toByteArray();
// biBytes is backwards and possibly too big
// Copy the low-order bytes into result in reverse
int sourceIndex = biBytes.length - 1;
for (int i = 0; i < result.length; i++) {
if (sourceIndex >= 0) {
result[i] = biBytes[sourceIndex--];
}
else {
result[i] = 0;
}
}
}
protected void limbsToByteArray(long[] limbs, byte[] result) {
bigIntToByteArray(evaluate(limbs), result);
}
protected void addLimbsModPowerTwo(long[] limbs, long[] other,
byte[] result) {
BigInteger bi1 = evaluate(limbs);
BigInteger bi2 = evaluate(other);
BigInteger biResult = bi1.add(bi2);
bigIntToByteArray(biResult, result);
}
private abstract class Element implements IntegerModuloP {
protected long[] limbs;
protected boolean summand = false;
public Element(BigInteger v) {
limbs = new long[numLimbs];
setValue(v);
}
public Element(boolean v) {
limbs = new long[numLimbs];
limbs[0] = v ? 1l : 0l;
summand = true;
}
private Element(long[] limbs, boolean summand) {
this.limbs = limbs;
this.summand = summand;
}
private void setValue(BigInteger v) {
setLimbsValue(v, limbs);
summand = true;
}
@Override
public IntegerFieldModuloP getField() {
return IntegerPolynomial.this;
}
@Override
public BigInteger asBigInteger() {
return evaluate(limbs);
}
@Override
public MutableElement mutable() {
return new MutableElement(limbs.clone(), summand);
}
@Override
public ImmutableElement add(IntegerModuloP genB) {
Element b = (Element) genB;
if (!(summand && b.summand)) {
throw new ArithmeticException("Not a valid summand");
}
long[] newLimbs = new long[limbs.length];
for (int i = 0; i < limbs.length; i++) {
newLimbs[i] = limbs[i] + b.limbs[i];
}
return new ImmutableElement(newLimbs, false);
}
@Override
public ImmutableElement additiveInverse() {
long[] newLimbs = new long[limbs.length];
for (int i = 0; i < limbs.length; i++) {
newLimbs[i] = -limbs[i];
}
ImmutableElement result = new ImmutableElement(newLimbs, summand);
return result;
}
protected long[] cloneLow(long[] limbs) {
long[] newLimbs = new long[numLimbs];
copyLow(limbs, newLimbs);
return newLimbs;
}
protected void copyLow(long[] limbs, long[] out) {
System.arraycopy(limbs, 0, out, 0, out.length);
}
@Override
public ImmutableElement multiply(IntegerModuloP genB) {
Element b = (Element) genB;
long[] newLimbs = new long[limbs.length];
mult(limbs, b.limbs, newLimbs);
return new ImmutableElement(newLimbs, true);
}
@Override
public ImmutableElement square() {
long[] newLimbs = new long[limbs.length];
IntegerPolynomial.this.square(limbs, newLimbs);
return new ImmutableElement(newLimbs, true);
}
public void addModPowerTwo(IntegerModuloP arg, byte[] result) {
if (!summand) {
throw new ArithmeticException("Not a valid summand");
}
Element other = (Element) arg;
addLimbsModPowerTwo(limbs, other.limbs, result);
}
public void asByteArray(byte[] result) {
if (!summand) {
throw new ArithmeticException("Not a valid summand");
}
limbsToByteArray(limbs, result);
}
}
private class MutableElement extends Element
implements MutableIntegerModuloP {
protected MutableElement(long[] limbs, boolean summand) {
super(limbs, summand);
}
@Override
public ImmutableElement fixed() {
return new ImmutableElement(limbs.clone(), summand);
}
@Override
public void conditionalSwapWith(MutableIntegerModuloP b, int swap) {
MutableElement other = (MutableElement) b;
conditionalSwap(swap, limbs, other.limbs);
boolean summandTemp = summand;
summand = other.summand;
other.summand = summandTemp;
}
@Override
public MutableElement setValue(IntegerModuloP v) {
Element other = (Element) v;
System.arraycopy(other.limbs, 0, limbs, 0, other.limbs.length);
summand = other.summand;
return this;
}
@Override
public MutableElement setValue(byte[] arr, int offset,
int length, byte highByte) {
encode(arr, offset, length, highByte, limbs);
summand = true;
return this;
}
@Override
public MutableElement setValue(ByteBuffer buf, int length,
byte highByte) {
encode(buf, length, highByte, limbs);
summand = true;
return this;
}
@Override
public MutableElement setProduct(IntegerModuloP genB) {
Element b = (Element) genB;
mult(limbs, b.limbs, limbs);
summand = true;
return this;
}
@Override
public MutableElement setProduct(SmallValue v) {
int value = ((Limb) v).value;
multByInt(limbs, value, limbs);
summand = true;
return this;
}
@Override
public MutableElement setSum(IntegerModuloP genB) {
Element b = (Element) genB;
if (!(summand && b.summand)) {
throw new ArithmeticException("Not a valid summand");
}
for (int i = 0; i < limbs.length; i++) {
limbs[i] = limbs[i] + b.limbs[i];
}
summand = false;
return this;
}
@Override
public MutableElement setDifference(IntegerModuloP genB) {
Element b = (Element) genB;
if (!(summand && b.summand)) {
throw new ArithmeticException("Not a valid summand");
}
for (int i = 0; i < limbs.length; i++) {
limbs[i] = limbs[i] - b.limbs[i];
}
return this;
}
@Override
public MutableElement setSquare() {
IntegerPolynomial.this.square(limbs, limbs);
summand = true;
return this;
}
}
class ImmutableElement extends Element implements ImmutableIntegerModuloP {
protected ImmutableElement(BigInteger v) {
super(v);
}
protected ImmutableElement(boolean v) {
super(v);
}
protected ImmutableElement(long[] limbs, boolean summand) {
super(limbs, summand);
}
@Override
public ImmutableElement fixed() {
return this;
}
}
class Limb implements SmallValue {
int value;
Limb(int value) {
this.value = value;
}
}
}

301
src/java.base/share/classes/sun/security/util/math/intpoly/IntegerPolynomial1305.java Normal file
View File

@ -0,0 +1,301 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.util.math.intpoly;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.VarHandle;
import java.math.BigInteger;
import java.nio.*;
/**
* An IntegerFieldModuloP designed for use with the Poly1305 authenticator.
* The representation uses 5 signed long values.
*
* In addition to the branch-free operations specified in the parent class,
* the following operations are branch-free:
*
* addModPowerTwo
* asByteArray
*
*/
public class IntegerPolynomial1305 extends IntegerPolynomial {
protected static final int SUBTRAHEND = 5;
protected static final int NUM_LIMBS = 5;
private static final int POWER = 130;
private static final int BITS_PER_LIMB = 26;
private static final BigInteger MODULUS
= TWO.pow(POWER).subtract(BigInteger.valueOf(SUBTRAHEND));
private final long[] posModLimbs;
private long[] setPosModLimbs() {
long[] result = new long[NUM_LIMBS];
setLimbsValuePositive(MODULUS, result);
return result;
}
public IntegerPolynomial1305() {
super(BITS_PER_LIMB, NUM_LIMBS, MODULUS);
posModLimbs = setPosModLimbs();
}
protected void mult(long[] a, long[] b, long[] r) {
// Use grade-school multiplication into primitives to avoid the
// temporary array allocation. This is equivalent to the following
// code:
// long[] c = new long[2 * NUM_LIMBS - 1];
// for(int i = 0; i < NUM_LIMBS; i++) {
// for(int j - 0; j < NUM_LIMBS; j++) {
// c[i + j] += a[i] * b[j]
// }
// }
long c0 = (a[0] * b[0]);
long c1 = (a[0] * b[1]) + (a[1] * b[0]);
long c2 = (a[0] * b[2]) + (a[1] * b[1]) + (a[2] * b[0]);
long c3 = (a[0] * b[3]) + (a[1] * b[2]) + (a[2] * b[1]) + (a[3] * b[0]);
long c4 = (a[0] * b[4]) + (a[1] * b[3]) + (a[2] * b[2]) + (a[3] * b[1]) + (a[4] * b[0]);
long c5 = (a[1] * b[4]) + (a[2] * b[3]) + (a[3] * b[2]) + (a[4] * b[1]);
long c6 = (a[2] * b[4]) + (a[3] * b[3]) + (a[4] * b[2]);
long c7 = (a[3] * b[4]) + (a[4] * b[3]);
long c8 = (a[4] * b[4]);
carryReduce(r, c0, c1, c2, c3, c4, c5, c6, c7, c8);
}
private void carryReduce(long[] r, long c0, long c1, long c2, long c3,
long c4, long c5, long c6, long c7, long c8) {
//reduce(2, 2)
r[2] = c2 + (c7 * SUBTRAHEND);
c3 += (c8 * SUBTRAHEND);
// carry(3, 2)
long carry3 = carryValue(c3);
r[3] = c3 - (carry3 << BITS_PER_LIMB);
c4 += carry3;
long carry4 = carryValue(c4);
r[4] = c4 - (carry4 << BITS_PER_LIMB);
c5 += carry4;
// reduce(0, 2)
r[0] = c0 + (c5 * SUBTRAHEND);
r[1] = c1 + (c6 * SUBTRAHEND);
// carry(0, 4)
carry(r);
}
protected void multByInt(long[] a, long b, long[] r) {
for (int i = 0; i < a.length; i++) {
r[i] = a[i] * b;
}
reduce(r);
}
@Override
protected void square(long[] a, long[] r) {
// Use grade-school multiplication with a simple squaring optimization.
// Multiply into primitives to avoid the temporary array allocation.
// This is equivalent to the following code:
// long[] c = new long[2 * NUM_LIMBS - 1];
// for(int i = 0; i < NUM_LIMBS; i++) {
// c[2 * i] = a[i] * a[i];
// for(int j = i + 1; j < NUM_LIMBS; j++) {
// c[i + j] += 2 * a[i] * a[j]
// }
// }
long c0 = (a[0] * a[0]);
long c1 = 2 * (a[0] * a[1]);
long c2 = 2 * (a[0] * a[2]) + (a[1] * a[1]);
long c3 = 2 * (a[0] * a[3] + a[1] * a[2]);
long c4 = 2 * (a[0] * a[4] + a[1] * a[3]) + (a[2] * a[2]);
long c5 = 2 * (a[1] * a[4] + a[2] * a[3]);
long c6 = 2 * (a[2] * a[4]) + (a[3] * a[3]);
long c7 = 2 * (a[3] * a[4]);
long c8 = (a[4] * a[4]);
carryReduce(r, c0, c1, c2, c3, c4, c5, c6, c7, c8);
}
@Override
protected void encode(ByteBuffer buf, int length, byte highByte,
long[] result) {
if (length == 16) {
long low = buf.getLong();
long high = buf.getLong();
encode(high, low, highByte, result);
} else {
super.encode(buf, length, highByte, result);
}
}
protected void encode(long high, long low, byte highByte, long[] result) {
result[0] = low & 0x3FFFFFFL;
result[1] = (low >>> 26) & 0x3FFFFFFL;
result[2] = (low >>> 52) + ((high & 0x3FFFL) << 12);
result[3] = (high >>> 14) & 0x3FFFFFFL;
result[4] = (high >>> 40) + (highByte << 24L);
}
private static final VarHandle AS_LONG_LE = MethodHandles
.byteArrayViewVarHandle(long[].class, ByteOrder.LITTLE_ENDIAN);
protected void encode(byte[] v, int offset, int length, byte highByte,
long[] result) {
if (length == 16) {
long low = (long) AS_LONG_LE.get(v, offset);
long high = (long) AS_LONG_LE.get(v, offset + 8);
encode(high, low, highByte, result);
} else {
super.encode(v, offset, length, highByte, result);
}
}
protected void modReduceIn(long[] limbs, int index, long x) {
// this only works when BITS_PER_LIMB * NUM_LIMBS = POWER exactly
long reducedValue = (x * SUBTRAHEND);
limbs[index - NUM_LIMBS] += reducedValue;
}
protected final void modReduce(long[] limbs, int start, int end) {
for (int i = start; i < end; i++) {
modReduceIn(limbs, i, limbs[i]);
limbs[i] = 0;
}
}
protected void modReduce(long[] limbs) {
modReduce(limbs, NUM_LIMBS, NUM_LIMBS - 1);
}
@Override
protected long carryValue(long x) {
// This representation has plenty of extra space, so we can afford to
// do a simplified carry operation that is more time-efficient.
return x >> BITS_PER_LIMB;
}
protected void reduce(long[] limbs) {
long carry3 = carryOut(limbs, 3);
long new4 = carry3 + limbs[4];
long carry4 = carryValue(new4);
limbs[4] = new4 - (carry4 << BITS_PER_LIMB);
modReduceIn(limbs, 5, carry4);
carry(limbs);
}
// Convert reduced limbs into a number between 0 and MODULUS-1
private void finalReduce(long[] limbs) {
addLimbs(limbs, posModLimbs, limbs);
// now all values are positive, so remaining operations will be unsigned
// unsigned carry out of last position and reduce in to first position
long carry = limbs[NUM_LIMBS - 1] >> BITS_PER_LIMB;
limbs[NUM_LIMBS - 1] -= carry << BITS_PER_LIMB;
modReduceIn(limbs, NUM_LIMBS, carry);
// unsigned carry on all positions
carry = 0;
for (int i = 0; i < NUM_LIMBS; i++) {
limbs[i] += carry;
carry = limbs[i] >> BITS_PER_LIMB;
limbs[i] -= carry << BITS_PER_LIMB;
}
// reduce final carry value back in
modReduceIn(limbs, NUM_LIMBS, carry);
// we only reduce back in a nonzero value if some value was carried out
// of the previous loop. So at least one remaining value is small.
// One more carry is all that is necessary. Nothing will be carried out
// at the end
carry = 0;
for (int i = 0; i < NUM_LIMBS; i++) {
limbs[i] += carry;
carry = limbs[i] >> BITS_PER_LIMB;
limbs[i] -= carry << BITS_PER_LIMB;
}
// limbs are positive and all less than 2^BITS_PER_LIMB
// but the value may be greater than the MODULUS.
// Subtract the max limb values only if all limbs end up non-negative
int smallerNonNegative = 1;
long[] smaller = new long[NUM_LIMBS];
for (int i = NUM_LIMBS - 1; i >= 0; i--) {
smaller[i] = limbs[i] - posModLimbs[i];
// expression on right is 1 if smaller[i] is nonnegative,
// 0 otherwise
smallerNonNegative *= (int) (smaller[i] >> 63) + 1;
}
conditionalSwap(smallerNonNegative, limbs, smaller);
}
@Override
protected void limbsToByteArray(long[] limbs, byte[] result) {
long[] reducedLimbs = limbs.clone();
finalReduce(reducedLimbs);
decode(reducedLimbs, result, 0, result.length);
}
@Override
protected void addLimbsModPowerTwo(long[] limbs, long[] other,
byte[] result) {
long[] reducedOther = other.clone();
long[] reducedLimbs = limbs.clone();
finalReduce(reducedLimbs);
addLimbs(reducedLimbs, reducedOther, reducedLimbs);
// may carry out a value which can be ignored
long carry = 0;
for (int i = 0; i < NUM_LIMBS; i++) {
reducedLimbs[i] += carry;
carry = reducedLimbs[i] >> BITS_PER_LIMB;
reducedLimbs[i] -= carry << BITS_PER_LIMB;
}
decode(reducedLimbs, result, 0, result.length);
}
}

204
src/java.base/share/classes/sun/security/util/math/intpoly/IntegerPolynomial25519.java Normal file
View File

@ -0,0 +1,204 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.util.math.intpoly;
import java.math.BigInteger;
public class IntegerPolynomial25519 extends IntegerPolynomial {
private static final int POWER = 255;
private static final int SUBTRAHEND = 19;
private static final int NUM_LIMBS = 10;
private static final int BITS_PER_LIMB = 26;
public static final BigInteger MODULUS
= TWO.pow(POWER).subtract(BigInteger.valueOf(SUBTRAHEND));
// BITS_PER_LIMB does not divide POWER, so reduction is a bit complicated
// The constants below help split up values during reduction
private static final int BIT_OFFSET = NUM_LIMBS * BITS_PER_LIMB - POWER;
private static final int LIMB_MASK = -1 >>> (64 - BITS_PER_LIMB);
private static final int RIGHT_BIT_OFFSET = BITS_PER_LIMB - BIT_OFFSET;
public IntegerPolynomial25519() {
super(BITS_PER_LIMB, NUM_LIMBS, MODULUS);
}
@Override
protected void mult(long[] a, long[] b, long[] r) {
// Use grade-school multiplication into primitives to avoid the
// temporary array allocation. This is equivalent to the following
// code:
// long[] c = new long[2 * NUM_LIMBS - 1];
// for(int i = 0; i < NUM_LIMBS; i++) {
// for(int j - 0; j < NUM_LIMBS; j++) {
// c[i + j] += a[i] * b[j]
// }
// }
long c0 = (a[0] * b[0]);
long c1 = (a[0] * b[1]) + (a[1] * b[0]);
long c2 = (a[0] * b[2]) + (a[1] * b[1]) + (a[2] * b[0]);
long c3 = (a[0] * b[3]) + (a[1] * b[2]) + (a[2] * b[1]) + (a[3] * b[0]);
long c4 = (a[0] * b[4]) + (a[1] * b[3]) + (a[2] * b[2]) + (a[3] * b[1]) + (a[4] * b[0]);
long c5 = (a[0] * b[5]) + (a[1] * b[4]) + (a[2] * b[3]) + (a[3] * b[2]) + (a[4] * b[1]) + (a[5] * b[0]);
long c6 = (a[0] * b[6]) + (a[1] * b[5]) + (a[2] * b[4]) + (a[3] * b[3]) + (a[4] * b[2]) + (a[5] * b[1]) + (a[6] * b[0]);
long c7 = (a[0] * b[7]) + (a[1] * b[6]) + (a[2] * b[5]) + (a[3] * b[4]) + (a[4] * b[3]) + (a[5] * b[2]) + (a[6] * b[1]) + (a[7] * b[0]);
long c8 = (a[0] * b[8]) + (a[1] * b[7]) + (a[2] * b[6]) + (a[3] * b[5]) + (a[4] * b[4]) + (a[5] * b[3]) + (a[6] * b[2]) + (a[7] * b[1]) + (a[8] * b[0]);
long c9 = (a[0] * b[9]) + (a[1] * b[8]) + (a[2] * b[7]) + (a[3] * b[6]) + (a[4] * b[5]) + (a[5] * b[4]) + (a[6] * b[3]) + (a[7] * b[2]) + (a[8] * b[1]) + (a[9] * b[0]);
long c10 = (a[1] * b[9]) + (a[2] * b[8]) + (a[3] * b[7]) + (a[4] * b[6]) + (a[5] * b[5]) + (a[6] * b[4]) + (a[7] * b[3]) + (a[8] * b[2]) + (a[9] * b[1]);
long c11 = (a[2] * b[9]) + (a[3] * b[8]) + (a[4] * b[7]) + (a[5] * b[6]) + (a[6] * b[5]) + (a[7] * b[4]) + (a[8] * b[3]) + (a[9] * b[2]);
long c12 = (a[3] * b[9]) + (a[4] * b[8]) + (a[5] * b[7]) + (a[6] * b[6]) + (a[7] * b[5]) + (a[8] * b[4]) + (a[9] * b[3]);
long c13 = (a[4] * b[9]) + (a[5] * b[8]) + (a[6] * b[7]) + (a[7] * b[6]) + (a[8] * b[5]) + (a[9] * b[4]);
long c14 = (a[5] * b[9]) + (a[6] * b[8]) + (a[7] * b[7]) + (a[8] * b[6]) + (a[9] * b[5]);
long c15 = (a[6] * b[9]) + (a[7] * b[8]) + (a[8] * b[7]) + (a[9] * b[6]);
long c16 = (a[7] * b[9]) + (a[8] * b[8]) + (a[9] * b[7]);
long c17 = (a[8] * b[9]) + (a[9] * b[8]);
long c18 = a[9] * b[9];
carryReduce(r, c0, c1, c2, c3, c4, c5, c6, c7, c8,
c9, c10, c11, c12, c13, c14, c15, c16, c17, c18);
}
private void carryReduce(long[] r, long c0, long c1, long c2,
long c3, long c4, long c5, long c6,
long c7, long c8, long c9, long c10,
long c11, long c12, long c13, long c14,
long c15, long c16, long c17, long c18) {
// reduce(7,2)
long reducedValue17 = (c17 * SUBTRAHEND);
c7 += (reducedValue17 << BIT_OFFSET) & LIMB_MASK;
c8 += reducedValue17 >> RIGHT_BIT_OFFSET;
long reducedValue18 = (c18 * SUBTRAHEND);
c8 += (reducedValue18 << BIT_OFFSET) & LIMB_MASK;
c9 += reducedValue18 >> RIGHT_BIT_OFFSET;
// carry(8,2)
long carry8 = carryValue(c8);
r[8] = c8 - (carry8 << BITS_PER_LIMB);
c9 += carry8;
long carry9 = carryValue(c9);
r[9] = c9 - (carry9 << BITS_PER_LIMB);
c10 += carry9;
// reduce(0,7)
long reducedValue10 = (c10 * SUBTRAHEND);
r[0] = c0 + ((reducedValue10 << BIT_OFFSET) & LIMB_MASK);
c1 += reducedValue10 >> RIGHT_BIT_OFFSET;
long reducedValue11 = (c11 * SUBTRAHEND);
r[1] = c1 + ((reducedValue11 << BIT_OFFSET) & LIMB_MASK);
c2 += reducedValue11 >> RIGHT_BIT_OFFSET;
long reducedValue12 = (c12 * SUBTRAHEND);
r[2] = c2 + ((reducedValue12 << BIT_OFFSET) & LIMB_MASK);
c3 += reducedValue12 >> RIGHT_BIT_OFFSET;
long reducedValue13 = (c13 * SUBTRAHEND);
r[3] = c3 + ((reducedValue13 << BIT_OFFSET) & LIMB_MASK);
c4 += reducedValue13 >> RIGHT_BIT_OFFSET;
long reducedValue14 = (c14 * SUBTRAHEND);
r[4] = c4 + ((reducedValue14 << BIT_OFFSET) & LIMB_MASK);
c5 += reducedValue14 >> RIGHT_BIT_OFFSET;
long reducedValue15 = (c15 * SUBTRAHEND);
r[5] = c5 + ((reducedValue15 << BIT_OFFSET) & LIMB_MASK);
c6 += reducedValue15 >> RIGHT_BIT_OFFSET;
long reducedValue16 = (c16 * SUBTRAHEND);
r[6] = c6 + ((reducedValue16 << BIT_OFFSET) & LIMB_MASK);
r[7] = c7 + (reducedValue16 >> RIGHT_BIT_OFFSET);
// carry(0,9)
carry(r, 0, 9);
}
protected void multByInt(long[] a, long b, long[] r) {
for (int i = 0; i < a.length; i++) {
r[i] = a[i] * b;
}
// carry(8, 2)
long carry8 = carryValue(r[8]);
r[8] -= (carry8 << BITS_PER_LIMB);
r[9] += carry8;
long carry9 = carryValue(r[9]);
r[9] -= (carry9 << BITS_PER_LIMB);
// reduce(0, 1)
long reducedValue10 = (carry9 * SUBTRAHEND);
r[0] += ((reducedValue10 << BIT_OFFSET) & LIMB_MASK);
r[1] += reducedValue10 >> RIGHT_BIT_OFFSET;
// carry(0, 9)
carry(r, 0, 9);
}
@Override
protected void square(long[] a, long[] r) {
// Use grade-school multiplication with a simple squaring optimization.
// Multiply into primitives to avoid the temporary array allocation.
// This is equivalent to the following code:
// long[] c = new long[2 * NUM_LIMBS - 1];
// for(int i = 0; i < NUM_LIMBS; i++) {
// c[2 * i] = a[i] * a[i];
// for(int j = i + 1; j < NUM_LIMBS; j++) {
// c[i + j] += 2 * a[i] * a[j]
// }
// }
long c0 = a[0] * a[0];
long c1 = 2 * a[0] * a[1];
long c2 = a[1] * a[1] + 2 * a[0] * a[2];
long c3 = 2 * (a[0] * a[3] + a[1] * a[2]);
long c4 = a[2] * a[2] + 2 * (a[0] * a[4] + a[1] * a[3]);
long c5 = 2 * (a[0] * a[5] + a[1] * a[4] + a[2] * a[3]);
long c6 = a[3] * a[3] + 2 * (a[0] * a[6] + a[1] * a[5] + a[2] * a[4]);
long c7 = 2 * (a[0] * a[7] + a[1] * a[6] + a[2] * a[5] + a[3] * a[4]);
long c8 = a[4] * a[4] + 2 * (a[0] * a[8] + a[1] * a[7] + a[2] * a[6] + a[3] * a[5]);
long c9 = 2 * (a[0] * a[9] + a[1] * a[8] + a[2] * a[7] + a[3] * a[6] + a[4] * a[5]);
long c10 = a[5] * a[5] + 2 * (a[1] * a[9] + a[2] * a[8] + a[3] * a[7] + a[4] * a[6]);
long c11 = 2 * (a[2] * a[9] + a[3] * a[8] + a[4] * a[7] + a[5] * a[6]);
long c12 = a[6] * a[6] + 2 * (a[3] * a[9] + a[4] * a[8] + a[5] * a[7]);
long c13 = 2 * (a[4] * a[9] + a[5] * a[8] + a[6] * a[7]);
long c14 = a[7] * a[7] + 2 * (a[5] * a[9] + a[6] * a[8]);
long c15 = 2 * (a[6] * a[9] + a[7] * a[8]);
long c16 = a[8] * a[8] + 2 * a[7] * a[9];
long c17 = 2 * a[8] * a[9];
long c18 = a[9] * a[9];
carryReduce(r, c0, c1, c2, c3, c4, c5, c6, c7, c8,
c9, c10, c11, c12, c13, c14, c15, c16, c17, c18);
}
}

236
src/java.base/share/classes/sun/security/util/math/intpoly/IntegerPolynomial448.java Normal file
View File

@ -0,0 +1,236 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.util.math.intpoly;
import java.math.BigInteger;
public class IntegerPolynomial448 extends IntegerPolynomial {
private static final int POWER = 448;
private static final int NUM_LIMBS = 16;
private static final int BITS_PER_LIMB = 28;
public static final BigInteger MODULUS
= TWO.pow(POWER).subtract(TWO.pow(POWER / 2))
.subtract(BigInteger.valueOf(1));
public IntegerPolynomial448() {
super(BITS_PER_LIMB, NUM_LIMBS, MODULUS);
}
@Override
protected void mult(long[] a, long[] b, long[] r) {
// Use grade-school multiplication into primitives to avoid the
// temporary array allocation. This is equivalent to the following
// code:
// long[] c = new long[2 * NUM_LIMBS - 1];
// for(int i = 0; i < NUM_LIMBS; i++) {
// for(int j - 0; j < NUM_LIMBS; j++) {
// c[i + j] += a[i] * b[j]
// }
// }
long c0 = (a[0] * b[0]);
long c1 = (a[0] * b[1]) + (a[1] * b[0]);
long c2 = (a[0] * b[2]) + (a[1] * b[1]) + (a[2] * b[0]);
long c3 = (a[0] * b[3]) + (a[1] * b[2]) + (a[2] * b[1]) + (a[3] * b[0]);
long c4 = (a[0] * b[4]) + (a[1] * b[3]) + (a[2] * b[2]) + (a[3] * b[1]) + (a[4] * b[0]);
long c5 = (a[0] * b[5]) + (a[1] * b[4]) + (a[2] * b[3]) + (a[3] * b[2]) + (a[4] * b[1]) + (a[5] * b[0]);
long c6 = (a[0] * b[6]) + (a[1] * b[5]) + (a[2] * b[4]) + (a[3] * b[3]) + (a[4] * b[2]) + (a[5] * b[1]) + (a[6] * b[0]);
long c7 = (a[0] * b[7]) + (a[1] * b[6]) + (a[2] * b[5]) + (a[3] * b[4]) + (a[4] * b[3]) + (a[5] * b[2]) + (a[6] * b[1]) + (a[7] * b[0]);
long c8 = (a[0] * b[8]) + (a[1] * b[7]) + (a[2] * b[6]) + (a[3] * b[5]) + (a[4] * b[4]) + (a[5] * b[3]) + (a[6] * b[2]) + (a[7] * b[1]) + (a[8] * b[0]);
long c9 = (a[0] * b[9]) + (a[1] * b[8]) + (a[2] * b[7]) + (a[3] * b[6]) + (a[4] * b[5]) + (a[5] * b[4]) + (a[6] * b[3]) + (a[7] * b[2]) + (a[8] * b[1]) + (a[9] * b[0]);
long c10 = (a[0] * b[10]) + (a[1] * b[9]) + (a[2] * b[8]) + (a[3] * b[7]) + (a[4] * b[6]) + (a[5] * b[5]) + (a[6] * b[4]) + (a[7] * b[3]) + (a[8] * b[2]) + (a[9] * b[1]) + (a[10] * b[0]);
long c11 = (a[0] * b[11]) + (a[1] * b[10]) + (a[2] * b[9]) + (a[3] * b[8]) + (a[4] * b[7]) + (a[5] * b[6]) + (a[6] * b[5]) + (a[7] * b[4]) + (a[8] * b[3]) + (a[9] * b[2]) + (a[10] * b[1]) + (a[11] * b[0]);
long c12 = (a[0] * b[12]) + (a[1] * b[11]) + (a[2] * b[10]) + (a[3] * b[9]) + (a[4] * b[8]) + (a[5] * b[7]) + (a[6] * b[6]) + (a[7] * b[5]) + (a[8] * b[4]) + (a[9] * b[3]) + (a[10] * b[2]) + (a[11] * b[1]) + (a[12] * b[0]);
long c13 = (a[0] * b[13]) + (a[1] * b[12]) + (a[2] * b[11]) + (a[3] * b[10]) + (a[4] * b[9]) + (a[5] * b[8]) + (a[6] * b[7]) + (a[7] * b[6]) + (a[8] * b[5]) + (a[9] * b[4]) + (a[10] * b[3]) + (a[11] * b[2]) + (a[12] * b[1]) + (a[13] * b[0]);
long c14 = (a[0] * b[14]) + (a[1] * b[13]) + (a[2] * b[12]) + (a[3] * b[11]) + (a[4] * b[10]) + (a[5] * b[9]) + (a[6] * b[8]) + (a[7] * b[7]) + (a[8] * b[6]) + (a[9] * b[5]) + (a[10] * b[4]) + (a[11] * b[3]) + (a[12] * b[2]) + (a[13] * b[1]) + (a[14] * b[0]);
long c15 = (a[0] * b[15]) + (a[1] * b[14]) + (a[2] * b[13]) + (a[3] * b[12]) + (a[4] * b[11]) + (a[5] * b[10]) + (a[6] * b[9]) + (a[7] * b[8]) + (a[8] * b[7]) + (a[9] * b[6]) + (a[10] * b[5]) + (a[11] * b[4]) + (a[12] * b[3]) + (a[13] * b[2]) + (a[14] * b[1]) + (a[15] * b[0]);
long c16 = (a[1] * b[15]) + (a[2] * b[14]) + (a[3] * b[13]) + (a[4] * b[12]) + (a[5] * b[11]) + (a[6] * b[10]) + (a[7] * b[9]) + (a[8] * b[8]) + (a[9] * b[7]) + (a[10] * b[6]) + (a[11] * b[5]) + (a[12] * b[4]) + (a[13] * b[3]) + (a[14] * b[2]) + (a[15] * b[1]);
long c17 = (a[2] * b[15]) + (a[3] * b[14]) + (a[4] * b[13]) + (a[5] * b[12]) + (a[6] * b[11]) + (a[7] * b[10]) + (a[8] * b[9]) + (a[9] * b[8]) + (a[10] * b[7]) + (a[11] * b[6]) + (a[12] * b[5]) + (a[13] * b[4]) + (a[14] * b[3]) + (a[15] * b[2]);
long c18 = (a[3] * b[15]) + (a[4] * b[14]) + (a[5] * b[13]) + (a[6] * b[12]) + (a[7] * b[11]) + (a[8] * b[10]) + (a[9] * b[9]) + (a[10] * b[8]) + (a[11] * b[7]) + (a[12] * b[6]) + (a[13] * b[5]) + (a[14] * b[4]) + (a[15] * b[3]);
long c19 = (a[4] * b[15]) + (a[5] * b[14]) + (a[6] * b[13]) + (a[7] * b[12]) + (a[8] * b[11]) + (a[9] * b[10]) + (a[10] * b[9]) + (a[11] * b[8]) + (a[12] * b[7]) + (a[13] * b[6]) + (a[14] * b[5]) + (a[15] * b[4]);
long c20 = (a[5] * b[15]) + (a[6] * b[14]) + (a[7] * b[13]) + (a[8] * b[12]) + (a[9] * b[11]) + (a[10] * b[10]) + (a[11] * b[9]) + (a[12] * b[8]) + (a[13] * b[7]) + (a[14] * b[6]) + (a[15] * b[5]);
long c21 = (a[6] * b[15]) + (a[7] * b[14]) + (a[8] * b[13]) + (a[9] * b[12]) + (a[10] * b[11]) + (a[11] * b[10]) + (a[12] * b[9]) + (a[13] * b[8]) + (a[14] * b[7]) + (a[15] * b[6]);
long c22 = (a[7] * b[15]) + (a[8] * b[14]) + (a[9] * b[13]) + (a[10] * b[12]) + (a[11] * b[11]) + (a[12] * b[10]) + (a[13] * b[9]) + (a[14] * b[8]) + (a[15] * b[7]);
long c23 = (a[8] * b[15]) + (a[9] * b[14]) + (a[10] * b[13]) + (a[11] * b[12]) + (a[12] * b[11]) + (a[13] * b[10]) + (a[14] * b[9]) + (a[15] * b[8]);
long c24 = (a[9] * b[15]) + (a[10] * b[14]) + (a[11] * b[13]) + (a[12] * b[12]) + (a[13] * b[11]) + (a[14] * b[10]) + (a[15] * b[9]);
long c25 = (a[10] * b[15]) + (a[11] * b[14]) + (a[12] * b[13]) + (a[13] * b[12]) + (a[14] * b[11]) + (a[15] * b[10]);
long c26 = (a[11] * b[15]) + (a[12] * b[14]) + (a[13] * b[13]) + (a[14] * b[12]) + (a[15] * b[11]);
long c27 = (a[12] * b[15]) + (a[13] * b[14]) + (a[14] * b[13]) + (a[15] * b[12]);
long c28 = (a[13] * b[15]) + (a[14] * b[14]) + (a[15] * b[13]);
long c29 = (a[14] * b[15]) + (a[15] * b[14]);
long c30 = (a[15] * b[15]);
carryReduce(r, c0, c1, c2, c3, c4, c5, c6, c7, c8, c9, c10, c11, c12,
c13, c14, c15, c16, c17, c18, c19, c20, c21, c22, c23, c24, c25,
c26, c27, c28, c29, c30);
}
private void carryReduce(long[] r, long c0, long c1, long c2, long c3,
long c4, long c5, long c6, long c7, long c8,
long c9, long c10, long c11, long c12, long c13,
long c14, long c15, long c16, long c17, long c18,
long c19, long c20, long c21, long c22, long c23,
long c24, long c25, long c26, long c27, long c28,
long c29, long c30) {
// reduce(8, 7)
c8 += c24;
c16 += c24;
c9 += c25;
c17 += c25;
c10 += c26;
c18 += c26;
c11 += c27;
c19 += c27;
c12 += c28;
c20 += c28;
c13 += c29;
c21 += c29;
c14 += c30;
c22 += c30;
// reduce(4, 4)
r[4] = c4 + c20;
r[12] = c12 + c20;
r[5] = c5 + c21;
r[13] = c13 + c21;
r[6] = c6 + c22;
c14 += c22;
r[7] = c7 + c23;
c15 += c23;
//carry(14, 2)
long carry14 = carryValue(c14);
r[14] = c14 - (carry14 << BITS_PER_LIMB);
c15 += carry14;
long carry15 = carryValue(c15);
r[15] = c15 - (carry15 << BITS_PER_LIMB);
c16 += carry15;
// reduce(0, 4)
r[0] = c0 + c16;
r[8] = c8 + c16;
r[1] = c1 + c17;
r[9] = c9 + c17;
r[2] = c2 + c18;
r[10] = c10 + c18;
r[3] = c3 + c19;
r[11] = c11 + c19;
// carry(0, 15)
carry(r, 0, 15);
}
protected void multByInt(long[] a, long b, long[] r) {
for (int i = 0; i < a.length; i++) {
r[i] = a[i] * b;
}
// carry(14, 2)
long carry14 = carryValue(r[14]);
r[14] -= (carry14 << BITS_PER_LIMB);
r[15] += carry14;
long carry15 = carryValue(r[15]);
r[15] -= (carry15 << BITS_PER_LIMB);
// reduce(0, 1)
r[0] += carry15;
r[8] += carry15;
// carry(0, 15)
carry(r, 0, 15);
}
@Override
protected void square(long[] a, long[] r) {
// Use grade-school multiplication with a simple squaring optimization.
// Multiply into primitives to avoid the temporary array allocation.
// This is equivalent to the following code:
// long[] c = new long[2 * NUM_LIMBS - 1];
// for(int i = 0; i < NUM_LIMBS; i++) {
// c[2 * i] = a[i] * a[i];
// for(int j = i + 1; j < NUM_LIMBS; j++) {
// c[i + j] += 2 * a[i] * a[j]
// }
// }
long c0 = a[0] * a[0];
long c1 = 2 * a[0] * a[1];
long c2 = a[1] * a[1] + 2 * a[0] * a[2];
long c3 = 2 * (a[0] * a[3] + a[1] * a[2]);
long c4 = a[2] * a[2] + 2 * (a[0] * a[4] + a[1] * a[3]);
long c5 = 2 * (a[0] * a[5] + a[1] * a[4] + a[2] * a[3]);
long c6 = a[3] * a[3] + 2 * (a[0] * a[6] + a[1] * a[5] + a[2] * a[4]);
long c7 = 2 * (a[0] * a[7] + a[1] * a[6] + a[2] * a[5] + a[3] * a[4]);
long c8 = a[4] * a[4] + 2 * (a[0] * a[8] + a[1] * a[7] + a[2] * a[6] + a[3] * a[5]);
long c9 = 2 * (a[0] * a[9] + a[1] * a[8] + a[2] * a[7] + a[3] * a[6] + a[4] * a[5]);
long c10 = a[5] * a[5] + 2 * (a[0] * a[10] + a[1] * a[9] + a[2] * a[8] + a[3] * a[7] + a[4] * a[6]);
long c11 = 2 * (a[0] * a[11] + a[1] * a[10] + a[2] * a[9] + a[3] * a[8] + a[4] * a[7] + a[5] * a[6]);
long c12 = a[6] * a[6] + 2 * (a[0] * a[12] + a[1] * a[11] + a[2] * a[10] + a[3] * a[9] + a[4] * a[8] + a[5] * a[7]);
long c13 = 2 * (a[0] * a[13] + a[1] * a[12] + a[2] * a[11] + a[3] * a[10] + a[4] * a[9] + a[5] * a[8] + a[6] * a[7]);
long c14 = a[7] * a[7] + 2 * (a[0] * a[14] + a[1] * a[13] + a[2] * a[12] + a[3] * a[11] + a[4] * a[10] + a[5] * a[9] + a[6] * a[8]);
long c15 = 2 * (a[0] * a[15] + a[1] * a[14] + a[2] * a[13] + a[3] * a[12] + a[4] * a[11] + a[5] * a[10] + a[6] * a[9] + a[7] * a[8]);
long c16 = a[8] * a[8] + 2 * (a[1] * a[15] + a[2] * a[14] + a[3] * a[13] + a[4] * a[12] + a[5] * a[11] + a[6] * a[10] + a[7] * a[9]);
long c17 = 2 * (a[2] * a[15] + a[3] * a[14] + a[4] * a[13] + a[5] * a[12] + a[6] * a[11] + a[7] * a[10] + a[8] * a[9]);
long c18 = a[9] * a[9] + 2 * (a[3] * a[15] + a[4] * a[14] + a[5] * a[13] + a[6] * a[12] + a[7] * a[11] + a[8] * a[10]);
long c19 = 2 * (a[4] * a[15] + a[5] * a[14] + a[6] * a[13] + a[7] * a[12] + a[8] * a[11] + a[9] * a[10]);
long c20 = a[10] * a[10] + 2 * (a[5] * a[15] + a[6] * a[14] + a[7] * a[13] + a[8] * a[12] + a[9] * a[11]);
long c21 = 2 * (a[6] * a[15] + a[7] * a[14] + a[8] * a[13] + a[9] * a[12] + a[10] * a[11]);
long c22 = a[11] * a[11] + 2 * (a[7] * a[15] + a[8] * a[14] + a[9] * a[13] + a[10] * a[12]);
long c23 = 2 * (a[8] * a[15] + a[9] * a[14] + a[10] * a[13] + a[11] * a[12]);
long c24 = a[12] * a[12] + 2 * (a[9] * a[15] + a[10] * a[14] + a[11] * a[13]);
long c25 = 2 * (a[10] * a[15] + a[11] * a[14] + a[12] * a[13]);
long c26 = a[13] * a[13] + 2 * (a[11] * a[15] + a[12] * a[14]);
long c27 = 2 * (a[12] * a[15] + a[13] * a[14]);
long c28 = a[14] * a[14] + 2 * a[13] * a[15];
long c29 = 2 * a[14] * a[15];
long c30 = a[15] * a[15];
carryReduce(r, c0, c1, c2, c3, c4, c5, c6, c7, c8, c9, c10, c11, c12,
c13, c14, c15, c16, c17, c18, c19, c20, c21, c22, c23, c24, c25,
c26, c27, c28, c29, c30);
}
}

273
test/jdk/sun/security/util/math/BigIntegerModuloP.java Normal file
View File

@ -0,0 +1,273 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
import sun.security.util.math.*;
import java.math.BigInteger;
import java.nio.ByteBuffer;
/**
* Arithmetic in the field of integers modulo a prime value implemented using
* BigInteger. This implementation is very versatile, but it is slow and none
* of the operations are value-independent. This class is intended for use in
* testing and prototyping, and production code should probably use a more
* specialized arithmetic implementation.
*/
public class BigIntegerModuloP implements IntegerFieldModuloP {
private final BigInteger p;
public BigIntegerModuloP(BigInteger p) {
this.p = p;
}
@Override
public BigInteger getSize() {
return p;
}
@Override
public ImmutableElement get0() {
return new ImmutableElement(BigInteger.ZERO);
}
@Override
public ImmutableElement get1() {
return new ImmutableElement(BigInteger.ONE);
}
@Override
public ImmutableElement getElement(BigInteger v) {
return new ImmutableElement(v);
}
@Override
public ImmutableElement getElement(byte[] v, int offset, int length,
byte highByte) {
byte[] bigIntIn = new byte[length + 1];
System.arraycopy(v, offset, bigIntIn, 0, length);
bigIntIn[length] = highByte;
reverse(bigIntIn);
return new ImmutableElement(new BigInteger(1, bigIntIn).mod(getSize()));
}
@Override
public SmallValue getSmallValue(int i) {
return new SmallElement(i);
}
private abstract class Element implements IntegerModuloP {
protected BigInteger v;
protected Element(BigInteger v) {
this.v = v;
}
protected Element(boolean v) {
this.v = BigInteger.valueOf(v ? 1 : 0);
}
private BigInteger getModulus() {
return getField().getSize();
}
@Override
public IntegerFieldModuloP getField() {
return BigIntegerModuloP.this;
}
@Override
public BigInteger asBigInteger() {
return v;
}
@Override
public MutableElement mutable() {
return new MutableElement(v);
}
@Override
public ImmutableElement fixed() {
return new ImmutableElement(v);
}
@Override
public ImmutableElement add(IntegerModuloP b) {
return new ImmutableElement(
v.add(b.asBigInteger()).mod(getModulus()));
}
@Override
public ImmutableElement additiveInverse() {
return new ImmutableElement(v.negate().mod(getModulus()));
}
@Override
public ImmutableElement multiply(IntegerModuloP b) {
return new ImmutableElement(
v.multiply(b.asBigInteger()).mod(getModulus()));
}
@Override
public void addModPowerTwo(IntegerModuloP arg, byte[] result) {
BigInteger biThis = asBigInteger();
BigInteger biArg = arg.asBigInteger();
bigIntAsByteArray(biThis.add(biArg), result);
}
private void bigIntAsByteArray(BigInteger arg, byte[] result) {
byte[] bytes = arg.toByteArray();
// bytes is backwards and possibly too big
// Copy the low-order bytes into result in reverse
int sourceIndex = bytes.length - 1;
for (int i = 0; i < result.length; i++) {
if (sourceIndex >= 0) {
result[i] = bytes[sourceIndex--];
} else {
result[i] = 0;
}
}
}
@Override
public void asByteArray(byte[] result) {
bigIntAsByteArray(v, result);
}
}
private class ImmutableElement extends Element
implements ImmutableIntegerModuloP {
private ImmutableElement(BigInteger v) {
super(v);
}
}
private class MutableElement extends Element
implements MutableIntegerModuloP {
private MutableElement(BigInteger v) {
super(v);
}
@Override
public void conditionalSwapWith(MutableIntegerModuloP b, int swap) {
if (swap == 1) {
BigInteger temp = v;
v = b.asBigInteger();
((Element) b).v = temp;
}
}
@Override
public MutableElement setValue(IntegerModuloP v) {
this.v = ((Element) v).v;
return this;
}
@Override
public MutableElement setValue(byte[] arr, int offset, int length,
byte highByte) {
byte[] bigIntIn = new byte[length + 1];
System.arraycopy(arr, offset, bigIntIn, 0, length);
bigIntIn[length] = highByte;
reverse(bigIntIn);
v = new BigInteger(bigIntIn).mod(getSize());
return this;
}
@Override
public MutableElement setValue(ByteBuffer buf, int length,
byte highByte) {
byte[] bigIntIn = new byte[length + 1];
buf.get(bigIntIn, 0, length);
bigIntIn[length] = highByte;
reverse(bigIntIn);
v = new BigInteger(bigIntIn).mod(getSize());
return this;
}
@Override
public MutableElement setSquare() {
v = v.multiply(v).mod(getSize());
return this;
}
@Override
public MutableElement setProduct(IntegerModuloP b) {
Element other = (Element) b;
v = v.multiply(other.v).mod(getSize());
return this;
}
@Override
public MutableElement setProduct(SmallValue value) {
BigInteger bigIntValue = ((SmallElement) value).asBigInteger();
v = v.multiply(bigIntValue).mod(getSize());
return this;
}
@Override
public MutableElement setSum(IntegerModuloP b) {
Element other = (Element) b;
v = v.add(other.v).mod(getSize());
return this;
}
@Override
public MutableElement setDifference(IntegerModuloP b) {
Element other = (Element) b;
v = v.subtract(other.v).mod(getSize());
return this;
}
}
private class SmallElement extends ImmutableElement implements SmallValue {
public SmallElement(int v) {
super(BigInteger.valueOf(v).mod(getSize()));
}
}
private static void swap(byte[] arr, int i, int j) {
byte tmp = arr[i];
arr[i] = arr[j];
arr[j] = tmp;
}
private static void reverse(byte [] arr) {
int i = 0;
int j = arr.length - 1;
while (i < j) {
swap(arr, i, j);
i++;
j--;
}
}
}

377
test/jdk/sun/security/util/math/TestIntegerModuloP.java Normal file
View File

@ -0,0 +1,377 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8181594
* @summary Test proper operation of integer field arithmetic
* @modules java.base/sun.security.util java.base/sun.security.util.math java.base/sun.security.util.math.intpoly
* @build BigIntegerModuloP
* @run main TestIntegerModuloP sun.security.util.math.intpoly.IntegerPolynomial25519 32 0
* @run main TestIntegerModuloP sun.security.util.math.intpoly.IntegerPolynomial448 56 1
* @run main TestIntegerModuloP sun.security.util.math.intpoly.IntegerPolynomial1305 16 2
*/
import sun.security.util.math.*;
import java.util.function.*;
import java.util.*;
import java.math.*;
import java.nio.*;
public class TestIntegerModuloP {
static BigInteger TWO = BigInteger.valueOf(2);
// The test has a list of functions, and it selects randomly from that list
// The function types
interface ElemFunction extends BiFunction
<MutableIntegerModuloP, IntegerModuloP, IntegerModuloP> { }
interface ElemArrayFunction extends BiFunction
<MutableIntegerModuloP, IntegerModuloP, byte[]> { }
interface TriConsumer <T, U, V> {
void accept(T t, U u, V v);
}
interface ElemSetFunction extends TriConsumer
<MutableIntegerModuloP, IntegerModuloP, byte[]> { }
// The lists of functions. Multiple lists are needed because the test
// respects the limitations of the arithmetic implementations.
static final List<ElemFunction> ADD_FUNCTIONS = new ArrayList<>();
static final List<ElemFunction> MULT_FUNCTIONS = new ArrayList<>();
static final List<ElemArrayFunction> ARRAY_FUNCTIONS = new ArrayList<>();
static final List<ElemSetFunction> SET_FUNCTIONS = new ArrayList<>();
static void setUpFunctions(IntegerFieldModuloP field, int length) {
ADD_FUNCTIONS.clear();
MULT_FUNCTIONS.clear();
SET_FUNCTIONS.clear();
ARRAY_FUNCTIONS.clear();
byte highByte = (byte)
(field.getSize().bitLength() > length * 8 ? 1 : 0);
// add functions are (im)mutable add/subtract
ADD_FUNCTIONS.add(IntegerModuloP::add);
ADD_FUNCTIONS.add(IntegerModuloP::subtract);
ADD_FUNCTIONS.add(MutableIntegerModuloP::setSum);
ADD_FUNCTIONS.add(MutableIntegerModuloP::setDifference);
// also include functions that return the first/second argument
ADD_FUNCTIONS.add((a, b) -> a);
ADD_FUNCTIONS.add((a, b) -> b);
// mult functions are (im)mutable multiply and square
MULT_FUNCTIONS.add(IntegerModuloP::multiply);
MULT_FUNCTIONS.add((a, b) -> a.square());
MULT_FUNCTIONS.add((a, b) -> b.square());
MULT_FUNCTIONS.add(MutableIntegerModuloP::setProduct);
MULT_FUNCTIONS.add((a, b) -> a.setSquare());
// also test multiplication by a small value
MULT_FUNCTIONS.add((a, b) -> a.setProduct(b.getField().getSmallValue(
b.asBigInteger().mod(BigInteger.valueOf(262144)).intValue())));
// set functions are setValue with various argument types
SET_FUNCTIONS.add((a, b, c) -> a.setValue(b));
SET_FUNCTIONS.add((a, b, c) ->
a.setValue(c, 0, c.length, (byte) 0));
SET_FUNCTIONS.add((a, b, c) ->
a.setValue(ByteBuffer.wrap(c, 0, c.length).order(ByteOrder.LITTLE_ENDIAN),
c.length, highByte));
// array functions return the (possibly modified) value as byte array
ARRAY_FUNCTIONS.add((a, b ) -> a.asByteArray(length));
ARRAY_FUNCTIONS.add((a, b) -> a.addModPowerTwo(b, length));
}
public static void main(String[] args) {
String className = args[0];
final int length = Integer.parseInt(args[1]);
int seed = Integer.parseInt(args[2]);
Class<IntegerFieldModuloP> fieldBaseClass = IntegerFieldModuloP.class;
try {
Class<? extends IntegerFieldModuloP> clazz =
Class.forName(className).asSubclass(fieldBaseClass);
IntegerFieldModuloP field =
clazz.getDeclaredConstructor().newInstance();
setUpFunctions(field, length);
runFieldTest(field, length, seed);
} catch (Exception ex) {
throw new RuntimeException(ex);
}
System.out.println("All tests passed");
}
static void assertEqual(IntegerModuloP e1, IntegerModuloP e2) {
if (!e1.asBigInteger().equals(e2.asBigInteger())) {
throw new RuntimeException("values not equal: "
+ e1.asBigInteger() + " != " + e2.asBigInteger());
}
}
// A class that holds pairs of actual/expected values, and allows
// computation on these pairs.
static class TestPair<T extends IntegerModuloP> {
private final T test;
private final T baseline;
public TestPair(T test, T baseline) {
this.test = test;
this.baseline = baseline;
}
public T getTest() {
return test;
}
public T getBaseline() {
return baseline;
}
private void assertEqual() {
TestIntegerModuloP.assertEqual(test, baseline);
}
public TestPair<MutableIntegerModuloP> mutable() {
return new TestPair<>(test.mutable(), baseline.mutable());
}
public
<R extends IntegerModuloP, X extends IntegerModuloP>
TestPair<X> apply(BiFunction<T, R, X> func, TestPair<R> right) {
X testResult = func.apply(test, right.test);
X baselineResult = func.apply(baseline, right.baseline);
return new TestPair(testResult, baselineResult);
}
public
<U extends IntegerModuloP, V>
void apply(TriConsumer<T, U, V> func, TestPair<U> right, V argV) {
func.accept(test, right.test, argV);
func.accept(baseline, right.baseline, argV);
}
public
<R extends IntegerModuloP>
void applyAndCheckArray(BiFunction<T, R, byte[]> func,
TestPair<R> right) {
byte[] testResult = func.apply(test, right.test);
byte[] baselineResult = func.apply(baseline, right.baseline);
if (!Arrays.equals(testResult, baselineResult)) {
throw new RuntimeException("Array values do not match: "
+ byteArrayToHexString(testResult) + " != "
+ byteArrayToHexString(baselineResult));
}
}
}
static String byteArrayToHexString(byte[] arr) {
StringBuilder result = new StringBuilder();
for (int i = 0; i < arr.length; ++i) {
byte curVal = arr[i];
result.append(Character.forDigit(curVal >> 4 & 0xF, 16));
result.append(Character.forDigit(curVal & 0xF, 16));
}
return result.toString();
}
static TestPair<IntegerModuloP>
applyAndCheck(ElemFunction func, TestPair<MutableIntegerModuloP> left,
TestPair<IntegerModuloP> right) {
TestPair<IntegerModuloP> result = left.apply(func, right);
result.assertEqual();
left.assertEqual();
right.assertEqual();
return result;
}
static void
setAndCheck(ElemSetFunction func, TestPair<MutableIntegerModuloP> left,
TestPair<IntegerModuloP> right, byte[] argV) {
left.apply(func, right, argV);
left.assertEqual();
right.assertEqual();
}
static TestPair<MutableIntegerModuloP>
applyAndCheckMutable(ElemFunction func,
TestPair<MutableIntegerModuloP> left,
TestPair<IntegerModuloP> right) {
TestPair<IntegerModuloP> result = applyAndCheck(func, left, right);
TestPair<MutableIntegerModuloP> mutableResult = result.mutable();
mutableResult.assertEqual();
result.assertEqual();
left.assertEqual();
right.assertEqual();
return mutableResult;
}
static void
cswapAndCheck(int swap, TestPair<MutableIntegerModuloP> left,
TestPair<MutableIntegerModuloP> right) {
left.getTest().conditionalSwapWith(right.getTest(), swap);
left.getBaseline().conditionalSwapWith(right.getBaseline(), swap);
left.assertEqual();
right.assertEqual();
}
// Request arithmetic that should overflow, and ensure that overflow is
// detected.
static void runOverflowTest(TestPair<IntegerModuloP> elem) {
TestPair<MutableIntegerModuloP> mutableElem = elem.mutable();
try {
for (int i = 0; i < 1000; i++) {
applyAndCheck(MutableIntegerModuloP::setSum, mutableElem, elem);
}
applyAndCheck(MutableIntegerModuloP::setProduct, mutableElem, elem);
} catch (ArithmeticException ex) {
// this is expected
}
mutableElem = elem.mutable();
try {
for (int i = 0; i < 1000; i++) {
elem = applyAndCheck(IntegerModuloP::add,
mutableElem, elem);
}
applyAndCheck(IntegerModuloP::multiply, mutableElem, elem);
} catch (ArithmeticException ex) {
// this is expected
}
}
// Run a large number of random operations and ensure that
// results are correct
static void runOperationsTest(Random random, int length,
TestPair<IntegerModuloP> elem,
TestPair<IntegerModuloP> right) {
TestPair<MutableIntegerModuloP> left = elem.mutable();
for (int i = 0; i < 10000; i++) {
ElemFunction addFunc1 =
ADD_FUNCTIONS.get(random.nextInt(ADD_FUNCTIONS.size()));
TestPair<MutableIntegerModuloP> result1 =
applyAndCheckMutable(addFunc1, left, right);
// left could have been modified, so turn it back into a summand
applyAndCheckMutable((a, b) -> a.setSquare(), left, right);
ElemFunction addFunc2 =
ADD_FUNCTIONS.get(random.nextInt(ADD_FUNCTIONS.size()));
TestPair<IntegerModuloP> result2 =
applyAndCheck(addFunc2, left, right);
ElemFunction multFunc2 =
MULT_FUNCTIONS.get(random.nextInt(MULT_FUNCTIONS.size()));
TestPair<MutableIntegerModuloP> multResult =
applyAndCheckMutable(multFunc2, result1, result2);
int swap = random.nextInt(2);
cswapAndCheck(swap, left, multResult);
ElemSetFunction setFunc =
SET_FUNCTIONS.get(random.nextInt(SET_FUNCTIONS.size()));
byte[] valueArr = new byte[length];
random.nextBytes(valueArr);
setAndCheck(setFunc, result1, result2, valueArr);
// left could have been modified, so to turn it back into a summand
applyAndCheckMutable((a, b) -> a.setSquare(), left, right);
ElemArrayFunction arrayFunc =
ARRAY_FUNCTIONS.get(random.nextInt(ARRAY_FUNCTIONS.size()));
left.applyAndCheckArray(arrayFunc, right);
}
}
// Run all the tests for a given field
static void runFieldTest(IntegerFieldModuloP testField,
int length, int seed) {
System.out.println("Testing: " + testField.getClass().getSimpleName());
Random random = new Random(seed);
IntegerFieldModuloP baselineField =
new BigIntegerModuloP(testField.getSize());
int numBits = testField.getSize().bitLength();
BigInteger r =
new BigInteger(numBits, random).mod(testField.getSize());
TestPair<IntegerModuloP> rand =
new TestPair(testField.getElement(r), baselineField.getElement(r));
runOverflowTest(rand);
// check combinations of operations for different kinds of elements
List<TestPair<IntegerModuloP>> testElements = new ArrayList<>();
testElements.add(rand);
testElements.add(new TestPair(testField.get0(), baselineField.get0()));
testElements.add(new TestPair(testField.get1(), baselineField.get1()));
byte[] testArr = {121, 37, -100, -5, 76, 33};
testElements.add(new TestPair(testField.getElement(testArr),
baselineField.getElement(testArr)));
testArr = new byte[length];
random.nextBytes(testArr);
testElements.add(new TestPair(testField.getElement(testArr),
baselineField.getElement(testArr)));
random.nextBytes(testArr);
byte highByte = (byte) (numBits > length * 8 ? 1 : 0);
testElements.add(
new TestPair(
testField.getElement(testArr, 0, testArr.length, highByte),
baselineField.getElement(testArr, 0, testArr.length, highByte)
)
);
for (int i = 0; i < testElements.size(); i++) {
for (int j = 0; j < testElements.size(); j++) {
runOperationsTest(random, length, testElements.get(i),
testElements.get(j));
}
}
}
}